kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

daemon: allow "builtin" as valid value for seccomp profiles

Browse source 
This allows containers to use the embedded default profile if a different
default is set (e.g. "unconfined") in the daemon configuration. Without this
option, users would have to copy the default profile to a file in order to
use the default.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2021-06-07 14:25:52 +02:00
parent 68e96f88ee
commit f8795ed364
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
3 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
daemon/daemon_unix.go
View file

@ -1706,7 +1706,7 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
} }
func (daemon *Daemon) setupSeccompProfile() error { func (daemon *Daemon) setupSeccompProfile() error {
if daemon.configStore.SeccompProfile != "" { if daemon.configStore.SeccompProfile != "" && daemon.configStore.SeccompProfile != config.SeccompProfileDefault {
daemon.seccompProfilePath = daemon.configStore.SeccompProfile daemon.seccompProfilePath = daemon.configStore.SeccompProfile
if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined { if daemon.configStore.SeccompProfile != config.SeccompProfileUnconfined {
b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile) b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)

4
daemon/seccomp_linux.go
View file

@ -26,7 +26,7 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return nil return nil
} }
if !daemon.seccompEnabled { if !daemon.seccompEnabled {
if c.SeccompProfile != "" { if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile") return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
} }
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile") logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
@ -35,6 +35,8 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
} }
var err error var err error
switch { switch {
case c.SeccompProfile == dconfig.SeccompProfileDefault:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
case c.SeccompProfile != "": case c.SeccompProfile != "":
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s) s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
case daemon.seccompProfile != nil: case daemon.seccompProfile != nil:

5
integration/daemon/daemon_test.go
View file

@ -116,6 +116,11 @@ func TestConfigDaemonSeccompProfiles(t *testing.T) {
profile: "", profile: "",
expectedProfile: config.SeccompProfileDefault, expectedProfile: config.SeccompProfileDefault,
}, },
{
doc: "default profile",
profile: config.SeccompProfileDefault,
expectedProfile: config.SeccompProfileDefault,
},
{ {
doc: "unconfined profile", doc: "unconfined profile",
profile: config.SeccompProfileUnconfined, profile: config.SeccompProfileUnconfined,